Across the European Union, spyware has been used to target opposition leaders, activists, journalists, and lawyers in multiple countries, calling for reforms. Recently, Google’s Threat Analysis Group announced an action to block one of these tools targeted at desktop computers, seemingly developed by a Spanish firm.
Heliconia, the exploitation framework, was brought to Google’s attention after it was anonymously submitted to the Chrome bug reporting program. It made references to vulnerabilities in Firefox, Chrome, and Windows Defender which could be exploited to deploy spyware on target devices, including Linux and Windows computers. The anonymous submission included source code from the Heliconia hacking framework, and referred to the vulnerabilities as Heliconia Noise, Heliconia Soft, and Files. Google stated that the evidence points to Variston IT, a Barcelona-based tech firm, as the hacking framework developer.
‘The findings indicate that we have many small players within the spyware industry, but with strong capabilities related to zero days,’ TAG researchers said.
Ralf Wegner, the director of Variston IT, stated that Variston was not given an opportunity to evaluate Google’s research, and thus, could not validate it. He added that he ‘would be surprised if such item was found in the wild’. Google confirmed that Variston IT was not contacted before the publication, contrary to their standard practice.
Microsoft, Google and Mozilla patched the Heliconia vulnerabilities in 2021 and 2022, and Google stated that there has been no detection of any current exploitation of the bugs. However, evidence in the bug submissions suggested that framework was used to exploit the flaws in 2018 and 2019, long before they were patched.
Heliconia Noise exploited a Chrome sandbox escape and renderer vulnerability, while Heliconia Soft made use of a malicious PDF laced with a Windows Defender exploit. Files deployed some Firefox exploits for Linux and Windows.
Google’s lack of evidence of exploitation imply that the Heliconia framework is now dormant, but it could also mean that the hacking tool has evolved. ‘It could be there are other exploits, a new framework, their exploits didn’t cross our systems, or there are other layers now to protect their exploits,’ TAG researchers said.
The group stated that its ultimate goal with this research to shed more light on the methods, abuses, and technical capabilities of the commercial spyware industry. The researchers designed detections for Google’s Safe Browsing service to caution against Heliconia-related files and sites, emphasizing that it is important to always update the software.
‘The growth of the spyware industry puts users at risk and makes the internet less safe. And while surveillance technology may be legal under national or international laws, they are often used in harmful ways to conduct digital espionage against a range of groups,’ the researchers wrote.
By Marvellous Iwendi.